vCloud Director 8.20: Granular Role Based Access Control

vCloud Director 8.20 introduces the possibility to create granular roles at tenant and system level. This is important for service providers who want to differentiate which tenants have access to specific features (for example advanced networking services). It also gives tenants the opportunity to create their own roles that correspond to their team structure (e.g. network administrator). And lastly, the system administrator can create additional roles in the system context with access to a subset of features.

A role is a set of rights which can be assigned to a user or a group. There are many new rights in vCloud Director 8.20. A few examples:

Access to Distributed Firewall: Enable / Disable Distributed Firewall

Gateway Advanced Services: Configure IPSEC VPN, Configure Load Balancer, Configure BGP Routing, Configure OSPF Routing, Configure SSL VPN, Configure Firewall, Configure DHCP, Configure NAT, Configure L2 VPN, Configure Static Routing

Or system level rights like:

Host: Upgrade Host, Repair Host, Migrate Host VMs, Open a Host in vSphere, Enable / Disable a Host, Prepare / Unprepare a Host, View Host

Prior to vCloud Director 8.20

Only global roles could be created by the system administrator, next to a handful of predefined roles (vApp Author, Organization Administrator, …).

Every organization would have access to the global and predefined roles.

Organization administrator could assign the roles to organization users.

Service provider could not differentiate access to features among different tenants.

There was only one system administrator role with access to everything.

vCloud Director 8.20

Roles are no longer global, but instead are organization specific.

Former global and predefined roles become role templates.

Service provider can create new role templates.

Role templates are used to instantiate organization specific roles.

Service provider can selectively grant rights to specific organizations.

Organization administrator can create their own organization specific roles from a subset of the granted rights.

New roles can be created in the system context from a subset of the system administrator rights.

The transition from pre-8.20 role management happens during the upgrade to 8.20. Existing roles are transferred to role templates and each organization gets its own role instantiation based on the role templates. The UI has changed and now includes an Organization column and filter. A new System organization is added with a default System Administrator role.

[Screenshots: vCloud Director 8.10 UI and vCloud Director 8.20 UI]

Tenant Rights and Role Management

When a new organization is created it will have access to all rights that are used in role templates. The system administrator can grant additional rights to the organization via the vCloud API only:

GET /api/admin … get references to all rights in VCD instance

GET /api/admin/org/<org-id>/rights … get references to all rights in the organization

PUT /api/admin/org/<org-id>/rights … edit rights in the organization

The System administrator or Organization Administrator can create new roles in their organization via the vCloud API only:

POST /admin/org/<org-id>/roles

Note: While the system administrator can edit tenant roles in the UI, editing a role that is based on a role template changes the role template and thus changes it for all organizations (more below).

How to Create Global Role

The UI no longer allows creation of global roles, only organization specific roles can be created that way.

However, there is a way to create a global role (actually a role template) with the legacy API (e.g. version 9.0 or 20.0, but not 27.0). Here is an example:

In the UI, add/remove the right on a role that is based on a role template, from any organization.

To add a new right, the organization needs to have access to that right. If it does not, grant it first with the API calls mentioned above.

Adding or removing rights on a role based on a role template will affect all other organizations:

Adding a right: other organizations will see the new right only if their instance of the role template has been granted the right. If the organization does not have access to the right, the right will not be added!

Removing a right: in other organizations the right will be removed from the role based on the role template.
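The grant-then-assign ordering above (an organization must hold a right before any of its roles can use it) is easy to get wrong when scripting the /api/admin/org/<org-id>/rights PUT. The following is an added example, not code from the original post or from VMware: it parses the RightReference elements of the vCloud API XML, builds the PUT body that adds a list of rights to an organization, reports rights the instance does not have at all, and lists which rights a planned role still needs granted. The element and attribute names (OrgRights, RightReference, href/name/type) follow the vCloud API schema as I know it; the sample documents and hrefs are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"          # vCloud API XML namespace
RIGHT_TYPE = "application/vnd.vmware.admin.right+xml"
ET.register_namespace("", NS)                      # serialize with the default namespace
RIGHT_TAG = "{%s}RightReference" % NS

def _ref(name, href):
    return '<RightReference href="%s" name="%s" type="%s"/>' % (href, name, RIGHT_TYPE)

# Constructed stand-in for GET /api/admin (only RightReferences shown; hrefs are placeholders)
ALL_RIGHTS_XML = '<VCloud xmlns="%s"><RightReferences>%s%s%s</RightReferences></VCloud>' % (
    NS,
    _ref("Configure NAT", "https://vcd.example/api/admin/right/r-nat"),
    _ref("Configure Load Balancer", "https://vcd.example/api/admin/right/r-lb"),
    _ref("Configure BGP Routing", "https://vcd.example/api/admin/right/r-bgp"))

# Constructed stand-in for GET /api/admin/org/<org-id>/rights: this org holds NAT only
ORG_RIGHTS_XML = '<OrgRights xmlns="%s">%s</OrgRights>' % (
    NS, _ref("Configure NAT", "https://vcd.example/api/admin/right/r-nat"))

def right_refs(xml_text):
    """Map right name -> href for every RightReference in a vCloud API document."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("href") for e in root.iter(RIGHT_TAG)}

def grant_rights_body(org_rights_xml, all_rights_xml, names):
    """Build the PUT body for /api/admin/org/<org-id>/rights that adds `names`.
    Returns (xml, added, unknown); `unknown` are names the instance does not offer."""
    catalogue, root = right_refs(all_rights_xml), ET.fromstring(org_rights_xml)
    have = right_refs(org_rights_xml)
    added, unknown = [], []
    for name in names:
        if name in have:
            continue                      # already granted; keep the PUT idempotent
        if name not in catalogue:
            unknown.append(name)          # cannot grant a right the instance lacks
            continue
        ET.SubElement(root, RIGHT_TAG,
                      {"href": catalogue[name], "name": name, "type": RIGHT_TYPE})
        added.append(name)
    return ET.tostring(root, encoding="unicode"), added, unknown

def rights_missing_for_role(org_rights_xml, role_right_names):
    """Rights a planned organization role needs that the org has not been granted yet.
    These must go through the PUT above before the POST .../roles can use them."""
    return sorted(set(role_right_names) - set(right_refs(org_rights_xml)))
```

Run the GET calls first to fetch the real documents, then send the returned XML with the usual vCloud API Accept/Content-Type headers for the API version you target.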

Hi Tomas,
I think the following
GET /api/org/<org-id>/rights … get references to all rights in the organization
PUT /api/org/<org-id>/rights … edit rights in the organization
are missing the /admin and should instead be
GET /api/admin/org/<org-id>/rights … get references to all rights in the organization
PUT /api/admin/org/<org-id>/rights … edit rights in the organization

Great articles Tom and Giuliano, we had a lot of tenants using RBAC so rather than modify each Org manually I wrote a PowerCLI script to add the new Gateway Advanced Services rights to an org by simply supplying the Organization and API endpoint. The script pulls down the XML for the current rights, adds all the new Gateway Advanced rights and re-uploads it to the API. I’ve documented it all on my blog at http://kiwicloud.ninja/2017/08/vcloud-director-8-20-edge-gateway-roles/ – hopefully will be useful to someone else.

Hi Tomas, It seems every time I need to do something, most of the work has already been done for me by you, thanks. Is there a way via the API to enable the newly added rights for a role? I can find lots of examples on how to add the rights, but nothing on enabling them for a role.
Thanks
Ian..

VCD 8.20, 9.0 and 9.1: you can add rights to a role via UI (as system admin) in the flex UI. Via API you would get the right and roles UUIDs (GET api/admin) and edit the role by adding the right UUID (GET|PUT /api/admin/role/)